From: Andrey Konovalov <andreyknvl@google.com>
To: Andrey Ryabinin <aryabinin@virtuozzo.com>,
Alexander Potapenko <glider@google.com>,
Dmitry Vyukov <dvyukov@google.com>,
kasan-dev@googlegroups.com, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, mingo@redhat.com
Cc: kcc@google.com, Andrey Konovalov <andreyknvl@google.com>
Subject: [PATCH 0/2] kasan,stacktrace: improve error reports
Date: Tue, 8 Nov 2016 20:37:48 +0100
Message-ID: <cover.1478632698.git.andreyknvl@google.com>
This patchset improves KASAN reports by making the following changes:
1. Changes header format from:
[ 24.247214] BUG: KASAN: use-after-free in kmalloc_uaf+0xad/0xb9 [test_kasan] at addr ffff88006bbb38a8
[ 24.247301] Write of size 1 by task insmod/3852
to
[ 19.338308] BUG: KASAN: use-after-free in kmalloc_uaf+0xad/0xb9 [test_kasan]
[ 19.338387] Write of size 1 at addr ffff88006af77968 by task insmod/3840
2. Unifies header format between different kinds of bad accesses.
3. Adds empty lines between parts of the report to improve readability.
4. Improves slab object description, before:
[ 24.247301] Object at ffff88006bbb38a0, in cache kmalloc-16 size: 16
now:
[ 19.338387] The buggy address belongs to the object at ffff88006af77960
[ 19.338387] which belongs to the cache kmalloc-16 of size 16
[ 19.338387] The buggy address ffff88006af77968 is located 8 bytes inside
[ 19.338387] of 16-byte region [ffff88006af77960, ffff88006af77970)
5. Fixes printing timestamps twice in alloc and free stack traces.
6. Improves mm/kasan/report.c readability.
This is what a test use-after-free report looks like now:
[ 19.337402] ==================================================================
[ 19.338308] BUG: KASAN: use-after-free in kmalloc_uaf+0xad/0xb9 [test_kasan]
[ 19.338387] Write of size 1 at addr ffff88006af77968 by task insmod/3840
[ 19.338387]
[ 19.338387] page:ffffea0001abddc0 count:1 mapcount:0 mapping: (null) index:0x0
[ 19.338387] flags: 0x100000000000080(slab)
[ 19.338387] page dumped because: kasan: bad access detected
[ 19.338387]
[ 19.338387] CPU: 0 PID: 3840 Comm: insmod Tainted: G B 4.9.0-rc4+ #394
[ 19.338387] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 19.338387] ffff880063d6f9a8 ffffffff81b46b74 ffff880063d6fa38 ffff88006af77968
[ 19.338387] 00000000000000fa 00000000000000fb ffff880063d6fa28 ffffffff8150aa92
[ 19.338387] ffffffff8120812d ffff880063d6fa00 0000000000000282 0000000000000296
[ 19.338387] Call Trace:
[ 19.338387] [<ffffffff81b46b74>] dump_stack+0xb3/0x10f
[ 19.338387] [<ffffffff8150aa92>] kasan_report_error+0x122/0x560
[ 19.338387] [<ffffffff8120812d>] ? trace_hardirqs_on+0xd/0x10
[ 19.338387] [<ffffffffa001928c>] ? copy_user_test+0x24f/0x24f [test_kasan]
[ 19.338387] [<ffffffff8150b04e>] __asan_report_store1_noabort+0x3e/0x40
[ 19.338387] [<ffffffffa0018609>] ? kmalloc_uaf+0xad/0xb9 [test_kasan]
[ 19.338387] [<ffffffffa0018609>] kmalloc_uaf+0xad/0xb9 [test_kasan]
[ 19.338387] [<ffffffffa00192db>] kmalloc_tests_init+0x4f/0x79 [test_kasan]
[ 19.338387] [<ffffffff81000560>] do_one_initcall+0xa0/0x230
[ 19.338387] [<ffffffff810004c0>] ? initcall_blacklisted+0x170/0x170
[ 19.338387] [<ffffffff81509e1b>] ? kasan_kmalloc+0xab/0xe0
[ 19.338387] [<ffffffff81509cb5>] ? kasan_unpoison_shadow+0x35/0x50
[ 19.338387] [<ffffffff81509d4c>] ? __asan_register_globals+0x7c/0xa0
[ 19.338387] [<ffffffff8140d696>] do_init_module+0x1c1/0x516
[ 19.338387] [<ffffffff812bbe1d>] load_module+0x65ed/0x8f90
[ 19.338387] [<ffffffff812b2f70>] ? __symbol_put+0xb0/0xb0
[ 19.338387] [<ffffffffa001002d>] ? __UNIQUE_ID_vermagic8+0x36ff9f20d843/0x36ff9f20d846 [test_kasan]
[ 19.338387] [<ffffffff812b5830>] ? module_frob_arch_sections+0x20/0x20
[ 19.338387] [<ffffffff83fc1f5f>] ? retint_kernel+0x10/0x10
[ 19.338387] [<ffffffff81207f90>] ? trace_hardirqs_on_caller+0x420/0x5b0
[ 19.338387] [<ffffffff8100301a>] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 19.338387] [<ffffffff83fc1f5f>] ? retint_kernel+0x10/0x10
[ 19.338387] [<ffffffff812be97c>] SYSC_init_module+0x1bc/0x1d0
[ 19.338387] [<ffffffff812be7c0>] ? load_module+0x8f90/0x8f90
[ 19.338387] [<ffffffff81207f90>] ? trace_hardirqs_on_caller+0x420/0x5b0
[ 19.338387] [<ffffffff8100301a>] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 19.338387] [<ffffffff812beaf9>] SyS_init_module+0x9/0x10
[ 19.338387] [<ffffffff83fc1581>] entry_SYSCALL_64_fastpath+0x1f/0xc2
[ 19.338387]
[ 19.338387] The buggy address belongs to the object at ffff88006af77960
[ 19.338387] which belongs to the cache kmalloc-16 of size 16
[ 19.338387] The buggy address ffff88006af77968 is located 8 bytes inside
[ 19.338387] of 16-byte region [ffff88006af77960, ffff88006af77970)
[ 19.338387]
[ 19.338387] Freed by task 3840:
[ 19.338387] [<ffffffff8107e236>] save_stack_trace+0x16/0x20
[ 19.338387] [<ffffffff81509ba6>] save_stack+0x46/0xd0
[ 19.338387] [<ffffffff8150a403>] kasan_slab_free+0x73/0xc0
[ 19.338387] [<ffffffff815068e8>] kfree+0xe8/0x2b0
[ 19.338387] [<ffffffffa00185e1>] kmalloc_uaf+0x85/0xb9 [test_kasan]
[ 19.338387] [<ffffffffa00192db>] kmalloc_tests_init+0x4f/0x79 [test_kasan]
[ 19.338387] [<ffffffff81000560>] do_one_initcall+0xa0/0x230
[ 19.338387] [<ffffffff8140d696>] do_init_module+0x1c1/0x516
[ 19.338387] [<ffffffff812bbe1d>] load_module+0x65ed/0x8f90
[ 19.338387] [<ffffffff812be97c>] SYSC_init_module+0x1bc/0x1d0
[ 19.338387] [<ffffffff812beaf9>] SyS_init_module+0x9/0x10
[ 19.338387] [<ffffffff83fc1581>] entry_SYSCALL_64_fastpath+0x1f/0xc2
[ 19.338387]
[ 19.338387] Allocated by task 3840:
[ 19.338387] [<ffffffff8107e236>] save_stack_trace+0x16/0x20
[ 19.338387] [<ffffffff81509ba6>] save_stack+0x46/0xd0
[ 19.338387] [<ffffffff81509e1b>] kasan_kmalloc+0xab/0xe0
[ 19.338387] [<ffffffff8150554c>] kmem_cache_alloc_trace+0xec/0x270
[ 19.338387] [<ffffffffa00185b2>] kmalloc_uaf+0x56/0xb9 [test_kasan]
[ 19.338387] [<ffffffffa00192db>] kmalloc_tests_init+0x4f/0x79 [test_kasan]
[ 19.338387] [<ffffffff81000560>] do_one_initcall+0xa0/0x230
[ 19.338387] [<ffffffff8140d696>] do_init_module+0x1c1/0x516
[ 19.338387] [<ffffffff812bbe1d>] load_module+0x65ed/0x8f90
[ 19.338387] [<ffffffff812be97c>] SYSC_init_module+0x1bc/0x1d0
[ 19.338387] [<ffffffff812beaf9>] SyS_init_module+0x9/0x10
[ 19.338387] [<ffffffff83fc1581>] entry_SYSCALL_64_fastpath+0x1f/0xc2
[ 19.338387]
[ 19.338387] Memory state around the buggy address:
[ 19.338387] ffff88006af77800: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
[ 19.338387] ffff88006af77880: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
[ 19.338387] >ffff88006af77900: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
[ 19.338387] ^
[ 19.338387] ffff88006af77980: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
[ 19.338387] ffff88006af77a00: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
[ 19.338387] ==================================================================
This is what a test use-after-free report looked like before:
[ 24.246351] ==================================================================
[ 24.247214] BUG: KASAN: use-after-free in kmalloc_uaf+0xad/0xb9 [test_kasan] at addr ffff88006bbb38a8
[ 24.247301] Write of size 1 by task insmod/3852
[ 24.247301] CPU: 1 PID: 3852 Comm: insmod Tainted: G B 4.9.0-rc4+ #393
[ 24.247301] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 24.247301] ffff88006a647980 ffffffff81b46a64 ffff88006c801b40 ffff88006bbb38a0
[ 24.247301] ffff88006bbb38b0 ffff88006bbb38a0 ffff88006a6479a8 ffffffff8150a86c
[ 24.247301] ffff88006a647a38 ffff88006c801b40 ffff8800ebbb38a8 ffff88006a647a28
[ 24.247301] Call Trace:
[ 24.247301] [<ffffffff81b46a64>] dump_stack+0xb3/0x10f
[ 24.247301] [<ffffffff8150a86c>] kasan_object_err+0x1c/0x70
[ 24.247301] [<ffffffff8150ab07>] kasan_report_error+0x1f7/0x4d0
[ 24.247301] [<ffffffff8120812d>] ? trace_hardirqs_on+0xd/0x10
[ 24.247301] [<ffffffffa001928c>] ? copy_user_test+0x24f/0x24f [test_kasan]
[ 24.247301] [<ffffffff8150af5e>] __asan_report_store1_noabort+0x3e/0x40
[ 24.247301] [<ffffffffa0018609>] ? kmalloc_uaf+0xad/0xb9 [test_kasan]
[ 24.247301] [<ffffffffa0018609>] kmalloc_uaf+0xad/0xb9 [test_kasan]
[ 24.247301] [<ffffffffa00192db>] kmalloc_tests_init+0x4f/0x79 [test_kasan]
[ 24.247301] [<ffffffff81000560>] do_one_initcall+0xa0/0x230
[ 24.247301] [<ffffffff810004c0>] ? initcall_blacklisted+0x170/0x170
[ 24.247301] [<ffffffff81509e4b>] ? kasan_kmalloc+0xab/0xe0
[ 24.247301] [<ffffffff81509ce5>] ? kasan_unpoison_shadow+0x35/0x50
[ 24.247301] [<ffffffff81509d7c>] ? __asan_register_globals+0x7c/0xa0
[ 24.247301] [<ffffffff8140d6c6>] do_init_module+0x1c1/0x516
[ 24.247301] [<ffffffff812bbe4d>] load_module+0x65ed/0x8f90
[ 24.247301] [<ffffffff812b2fa0>] ? __symbol_put+0xb0/0xb0
[ 24.247301] [<ffffffffa001002d>] ? __UNIQUE_ID_vermagic8+0x36ff9f26d843/0x36ff9f26d846 [test_kasan]
[ 24.247301] [<ffffffff812b5860>] ? module_frob_arch_sections+0x20/0x20
[ 24.247301] [<ffffffff83fc1f5f>] ? retint_kernel+0x10/0x10
[ 24.247301] [<ffffffff81207f90>] ? trace_hardirqs_on_caller+0x420/0x5b0
[ 24.247301] [<ffffffff8100301a>] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.247301] [<ffffffff83fc1f5f>] ? retint_kernel+0x10/0x10
[ 24.247301] [<ffffffff812be9ac>] SYSC_init_module+0x1bc/0x1d0
[ 24.247301] [<ffffffff812be7f0>] ? load_module+0x8f90/0x8f90
[ 24.247301] [<ffffffff81207f90>] ? trace_hardirqs_on_caller+0x420/0x5b0
[ 24.247301] [<ffffffff8100301a>] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 24.247301] [<ffffffff812beb29>] SyS_init_module+0x9/0x10
[ 24.247301] [<ffffffff83fc1581>] entry_SYSCALL_64_fastpath+0x1f/0xc2
[ 24.247301] Object at ffff88006bbb38a0, in cache kmalloc-16 size: 16
[ 24.247301] Allocated:
[ 24.247301] PID = 3852
[ 24.247301] [ 24.247301] [<ffffffff8107e236>] save_stack_trace+0x16/0x20
[ 24.247301] [ 24.247301] [<ffffffff81509bd6>] save_stack+0x46/0xd0
[ 24.247301] [ 24.247301] [<ffffffff81509e4b>] kasan_kmalloc+0xab/0xe0
[ 24.247301] [ 24.247301] [<ffffffff8150557c>] kmem_cache_alloc_trace+0xec/0x270
[ 24.247301] [ 24.247301] [<ffffffffa00185b2>] kmalloc_uaf+0x56/0xb9 [test_kasan]
[ 24.247301] [ 24.247301] [<ffffffffa00192db>] kmalloc_tests_init+0x4f/0x79 [test_kasan]
[ 24.247301] [ 24.247301] [<ffffffff81000560>] do_one_initcall+0xa0/0x230
[ 24.247301] [ 24.247301] [<ffffffff8140d6c6>] do_init_module+0x1c1/0x516
[ 24.247301] [ 24.247301] [<ffffffff812bbe4d>] load_module+0x65ed/0x8f90
[ 24.247301] [ 24.247301] [<ffffffff812be9ac>] SYSC_init_module+0x1bc/0x1d0
[ 24.247301] [ 24.247301] [<ffffffff812beb29>] SyS_init_module+0x9/0x10
[ 24.247301] [ 24.247301] [<ffffffff83fc1581>] entry_SYSCALL_64_fastpath+0x1f/0xc2
[ 24.247301] Freed:
[ 24.247301] PID = 3852
[ 24.247301] [ 24.247301] [<ffffffff8107e236>] save_stack_trace+0x16/0x20
[ 24.247301] [ 24.247301] [<ffffffff81509bd6>] save_stack+0x46/0xd0
[ 24.247301] [ 24.247301] [<ffffffff8150a433>] kasan_slab_free+0x73/0xc0
[ 24.247301] [ 24.247301] [<ffffffff81506918>] kfree+0xe8/0x2b0
[ 24.247301] [ 24.247301] [<ffffffffa00185e1>] kmalloc_uaf+0x85/0xb9 [test_kasan]
[ 24.247301] [ 24.247301] [<ffffffffa00192db>] kmalloc_tests_init+0x4f/0x79 [test_kasan]
[ 24.247301] [ 24.247301] [<ffffffff81000560>] do_one_initcall+0xa0/0x230
[ 24.247301] [ 24.247301] [<ffffffff8140d6c6>] do_init_module+0x1c1/0x516
[ 24.247301] [ 24.247301] [<ffffffff812bbe4d>] load_module+0x65ed/0x8f90
[ 24.247301] [ 24.247301] [<ffffffff812be9ac>] SYSC_init_module+0x1bc/0x1d0
[ 24.247301] [ 24.247301] [<ffffffff812beb29>] SyS_init_module+0x9/0x10
[ 24.247301] [ 24.247301] [<ffffffff83fc1581>] entry_SYSCALL_64_fastpath+0x1f/0xc2
[ 24.247301] Memory state around the buggy address:
[ 24.247301] ffff88006bbb3780: fb fb fc fc fb fb fc fc 00 00 fc fc 00 00 fc fc
[ 24.247301] ffff88006bbb3800: 00 00 fc fc fb fb fc fc fb fb fc fc fb fb fc fc
[ 24.247301] >ffff88006bbb3880: fb fb fc fc fb fb fc fc 00 00 fc fc fb fb fc fc
[ 24.247301] ^
[ 24.247301] ffff88006bbb3900: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
[ 24.247301] ffff88006bbb3980: 00 00 fc fc 00 00 fc fc fb fb fc fc 00 00 fc fc
[ 24.247301] ==================================================================
Andrey Konovalov (2):
stacktrace: fix print_stack_trace printing timestamp twice
kasan: improve error reports
kernel/stacktrace.c | 6 +-
mm/kasan/report.c | 246 +++++++++++++++++++++++++++++++++++-----------------
2 files changed, 169 insertions(+), 83 deletions(-)
--
2.8.0.rc3.226.g39d4020
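The new report layout is meant to be read by a human, but the same fields are what a triage script keys on: bug type, access kind and size, faulting address, task, the owning slab object, and the shadow dump. The following helper is an added example, not code from this patchset or from the kernel. It parses the post-patch report format, recomputes the "located N bytes inside" arithmetic from the object base, looks up the shadow byte that covers the faulting address in the dumped rows (each dumped row covers 16 shadow bytes, that is 128 bytes of memory, one shadow byte per 8 bytes), and checks that the poison value agrees with the bug type in the header. SAMPLE_REPORT is a trimmed copy of the use-after-free report above (page dump and call trace left out). The poison values and the shadow-to-bug-type mapping are assumptions taken from mm/kasan/kasan.h and mm/kasan/report.c of the 4.9 era; later kernels added and renamed some of them.

```python
"""Triage helper for KASAN reports in the format this patchset introduces.
Added example, not code from the patch or the kernel. SAMPLE_REPORT is a
trimmed copy of the cover letter's use-after-free report (page dump and
call trace omitted). Poison values are assumed from mm/kasan/kasan.h of
the 4.9 era; later kernels added and renamed some of them."""
import re

SHADOW_SCALE = 8               # one shadow byte covers 8 bytes of memory
ROW_BYTES = 16 * SHADOW_SCALE  # a dumped row lists 16 shadow bytes

SHADOW_MEANING = {             # assumed from mm/kasan/kasan.h (4.9 era)
    0xFF: "freed page", 0xFE: "kmalloc_large redzone",
    0xFC: "slab redzone", 0xFB: "freed slab object",
    0xFA: "global redzone", 0xF8: "out-of-scope stack variable",
    0xF1: "stack left redzone", 0xF2: "stack mid redzone",
    0xF3: "stack right redzone", 0xF4: "stack partial redzone",
}
# Bug type KASAN derives from the shadow byte under the first bad address
# (assumed from get_shadow_bug_type() in mm/kasan/report.c of that era).
SHADOW_BUG_TYPE = {
    **{v: "out-of-bounds" for v in range(1, SHADOW_SCALE)},
    0xFE: "slab-out-of-bounds", 0xFC: "slab-out-of-bounds",
    0xFA: "global-out-of-bounds", 0xF8: "use-after-scope",
    0xF1: "stack-out-of-bounds", 0xF2: "stack-out-of-bounds",
    0xF3: "stack-out-of-bounds", 0xF4: "stack-out-of-bounds",
    0xFF: "use-after-free", 0xFB: "use-after-free",
}

# Constructed sample: the cover letter's report with page dump and call trace cut.
SAMPLE_REPORT = """\
[   19.338308] BUG: KASAN: use-after-free in kmalloc_uaf+0xad/0xb9 [test_kasan]
[   19.338387] Write of size 1 at addr ffff88006af77968 by task insmod/3840
[   19.338387] The buggy address belongs to the object at ffff88006af77960
[   19.338387]  which belongs to the cache kmalloc-16 of size 16
[   19.338387] The buggy address ffff88006af77968 is located 8 bytes inside
[   19.338387]  of 16-byte region [ffff88006af77960, ffff88006af77970)
[   19.338387] Memory state around the buggy address:
[   19.338387]  ffff88006af77800: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
[   19.338387]  ffff88006af77880: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
[   19.338387] >ffff88006af77900: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
[   19.338387]                                                           ^
[   19.338387]  ffff88006af77980: 00 00 fc fc 00 00 fc fc 00 00 fc fc 00 00 fc fc
[   19.338387]  ffff88006af77a00: 00 00 fc fc 00 00 fc fc 00 00 fc fc fb fb fc fc
"""

_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
_HEADER = re.compile(r"BUG: KASAN: (?P<type>[\w-]+) in (?P<func>\S+)")
_ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr "
                     r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
_OBJECT = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
_CACHE = re.compile(r"which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
_LOCATED = re.compile(r"is located (?P<n>\d+) bytes (?P<where>inside|to the left|to the right)")
_ROW = re.compile(r"^[> ]*(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2}\s?){16})\s*$")


def parse_kasan_report(text):
    """Pull header, object description and shadow rows out of one report."""
    rep = {"shadow": {}}
    for raw in text.splitlines():
        line = _TS.sub("", raw)          # drop the printk timestamp prefix
        if m := _HEADER.search(line):
            rep["bug_type"], rep["func"] = m["type"], m["func"]
        elif m := _ACCESS.search(line):
            rep.update(access=m["rw"], size=int(m["size"]), addr=int(m["addr"], 16),
                       task=m["task"], pid=int(m["pid"]))
        elif m := _OBJECT.search(line):
            rep["object"] = int(m["obj"], 16)
        elif m := _CACHE.search(line):
            rep["cache"], rep["object_size"] = m["cache"], int(m["size"])
        elif m := _LOCATED.search(line):
            rep["located"] = (int(m["n"]), m["where"])
        elif m := _ROW.match(line):
            rep["shadow"][int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
    return rep


def offset_in_object(rep):
    """Signed distance of the bad access from the object start."""
    return rep["addr"] - rep["object"]


def shadow_byte_for(rep, addr):
    """Shadow byte covering addr, read from the dumped rows (None if not dumped)."""
    row_base = addr - addr % ROW_BYTES   # dumped rows are 128-byte aligned
    row = rep["shadow"].get(row_base)
    return None if row is None else row[(addr - row_base) // SHADOW_SCALE]


def decode_shadow(value):
    """Human-readable meaning of one shadow byte."""
    if value == 0:
        return "addressable"
    if 1 <= value < SHADOW_SCALE:
        return f"first {value} bytes addressable"
    return SHADOW_MEANING.get(value, f"unknown poison 0x{value:02x}")


def consistent(rep):
    """True when the 'located' sentence and the shadow byte agree with the header."""
    off, size = offset_in_object(rep), rep["object_size"]
    n, where = rep["located"]
    located_ok = ((where == "inside" and off == n)
                  or (where == "to the right" and off - size == n)
                  or (where == "to the left" and -off == n))
    return located_ok and SHADOW_BUG_TYPE.get(shadow_byte_for(rep, rep["addr"])) == rep["bug_type"]
```

Running it over the sample confirms what the report states by hand: the access at ffff88006af77968 falls in the row marked with ">", at shadow index 13 (0x68 / 8), whose value fb is the freed-slab-object poison, which is exactly why the header says use-after-free; the two bytes right after the 16-byte object (index 14 and 15) are fc, the slab redzone. A parser like this is also a cheap way to spot a report whose header and shadow dump disagree, which usually means the log was truncated or interleaved with another CPU's output.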
Thread overview (14+ messages):
2016-11-08 19:37 [PATCH 0/2] kasan,stacktrace: improve error reports  Andrey Konovalov [this message]
2016-11-08 19:37 ` [PATCH 1/2] stacktrace: fix print_stack_trace printing timestamp twice  Andrey Konovalov
2016-11-09 16:10   ` Andrey Ryabinin
2016-11-25 17:40     ` Dmitry Vyukov
2016-11-25 19:35       ` Joe Perches
2016-11-08 19:37 ` [PATCH 2/2] kasan: improve error reports  Andrey Konovalov
2016-11-09 16:23   ` Andrey Ryabinin